AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
Sigma rule
```yaml
title: AppX Package Deployment Failed Due to Signing Requirements
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: test
description: |
    Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 401
        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
    condition: selection
falsepositives:
    - Legitimate AppX packages not signed by MS used part of an enterprise.
level: medium
```
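To check the selection logic against exported events, the added example below (not part of the rule or the Sigma project) applies the same EventID and ErrorCode match to constructed event XML. The `PackageFullName` field name and the allow-list prefixes are assumptions, used to show tuning for the listed false positive.

```python
import xml.etree.ElementTree as ET

SCHEMA = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": SCHEMA}
RULE_EVENT_ID = "401"           # detection.selection.EventID
RULE_ERROR_CODE = "0x80073cff"  # detection.selection.ErrorCode

def _event(event_id, error_code, package):
    # Builds one constructed event. "PackageFullName" is an assumed field name.
    return (f'<Event xmlns="{SCHEMA}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="ErrorCode">{error_code}</Data>'
            f'<Data Name="PackageFullName">{package}</Data></EventData></Event>')

# Constructed sample input, not real telemetry.
SAMPLE = "<Events>" + "".join(_event(*row) for row in [
    (401, "0x80073CFF", "Unknown.App_1.0.0.0_x64__example"),     # match (case differs)
    (401, "0x80073cf3", "Other.App_1.0.0.0_x64__example"),       # other error code
    (400, "0x80073cff", "Third.App_1.0.0.0_x64__example"),       # other event ID
    (401, "0x80073cff", "Contoso.LobApp_2.1.0.0_x64__example"),  # match, in-house app
]) + "</Events>"

def parse_events(xml_text):
    """Yield a flat field dict per <Event>: EventID plus each named EventData value."""
    for ev in ET.fromstring(xml_text).iter(f"{{{SCHEMA}}}Event"):
        fields = {"EventID": ev.findtext("e:System/e:EventID", "", NS).strip()}
        for data in ev.findall("e:EventData/e:Data", NS):
            if data.get("Name"):
                fields[data.get("Name")] = (data.text or "").strip()
        yield fields

def matches_rule(fields):
    # Sigma compares string values case-insensitively, so normalise the code.
    return (fields.get("EventID") == RULE_EVENT_ID
            and fields.get("ErrorCode", "").lower() == RULE_ERROR_CODE)

def detect(xml_text, allowed_prefixes=()):
    """Return matching events, skipping packages that start with an allowed prefix."""
    hits = []
    for fields in parse_events(xml_text):
        if not matches_rule(fields):
            continue
        if fields.get("PackageFullName", "").startswith(tuple(allowed_prefixes)):
            continue  # documented false positive: enterprise package, not MS-signed
        hits.append(fields)
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE, allowed_prefixes=("Contoso.LobApp_",)):
        print(hit)
```

Real exports need to be wrapped in a single root element before parsing, as the constructed `<Events>` wrapper does here.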
Related rules
- AppX Located in Known Staging Directory Added to Deployment Pipeline
- AppX Located in Uncommon Directory Added to Deployment Pipeline
- Deployment AppX Package Was Blocked By AppLocker
- Deployment Of The AppX Package Was Blocked By The Policy
- Microsoft Malware Protection Engine Crash